Re: Cutting support for OpenSSL 1.0.1 and 1.0.2 in 17~?

Jacob Champion <jacob.champion@enterprisedb.com>

From: Jacob Champion <jacob.champion@enterprisedb.com>
To: Tom Lane <tgl@sss.pgh.pa.us>
Cc: Daniel Gustafsson <daniel@yesql.se>, Thomas Munro <thomas.munro@gmail.com>, Michael Paquier <michael@paquier.xyz>, Postgres hackers <pgsql-hackers@lists.postgresql.org>
Date: 2024-04-03T17:25:36Z
Lists: pgsql-hackers
On Wed, Apr 3, 2024 at 8:29 AM Tom Lane <tgl@sss.pgh.pa.us> wrote:
> I count 3 machines running 1.0.1, 18 running some flavor
> of 1.0.2, and 7 running various LibreSSL versions.

I don't know all the tradeoffs with buildfarm wrangling, but IMO all
those 1.0.2 installations are the most problematic, so I dug in a bit:

  arowana CentOS 7
  batfish Ubuntu 16.04.3
  boa RHEL 7
  buri CentOS 7
  butterflyfish Photon 2.0
  clam RHEL 7.1
  cuon Ubuntu 16.04
  dhole CentOS 7.4
  hake OpenIndiana hipster
  mantid CentOS 7.9
  margay Solaris 11.4.42
  massasauga Amazon Linux 2
  myna Photon 3.0
  parula Amazon Linux 2
  rhinoceros CentOS 7.1
  shelduck SUSE 12SP5
  siskin RHEL 7.9
  snakefly Amazon Linux 2

The RHEL7-alikes are the biggest set, but that's already discussed
above. Looks like SUSE 12 goes EOL later this year (October 2024), and
it ships OpenSSL 1.1.1 as an option. Already-dead distros are Ubuntu
16.04 (April 2021), Photon 2 (January 2023), and Photon 3 (March
2024). That leaves AL2, OpenIndiana Hipster, and Solaris 11.4, all of
which appear to have newer versions of OpenSSL shipped and selectable.

--Jacob



Commits

Same data as JSON: GET /api/v1/messages/:b64id/commits the thread's linked commits as JSON, with link sources. API reference →
  1. Remove obsolete unconstify()

  2. Only perform pg_strong_random init when required

  3. Remove support for OpenSSL older than 1.1.0

  4. Support SSL_R_VERSION_TOO_LOW when using LibreSSL

  5. Support disallowing SSL renegotiation when using LibreSSL

  6. Doc: Use past tense for things which happened in the past

  7. Remove support for OpenSSL 1.0.1

  8. Remove support for OpenSSL 0.9.8 and 1.0.0